Bug 584645 (CVE-2010-1173)
| Field | Value |
|---|---|
| Summary | CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet |
| Product | [Other] Security Response |
| Reporter | Eugene Teo (Security Response) <eteo> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | arozansk, bhu, davej, dhoward, jkacur, jolsa, jpirko, kmcmartin, lgoncalv, lwang, nhorman, osoukup, pcfe, plyons, pmatouse, rcvalle, rdassen, security-response-team, tao, tcallawa, vgoyal, williams |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2012-03-28 08:38:18 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 584653, 584654, 584655, 584656, 584657, 584658, 584659, 593537, 593538, 593539 |
Description
Eugene Teo (Security Response)
2010-04-22 05:39:14 UTC
Created attachment 409211: patch to pre-allocate error chunk w/ proper space

Here's the patch I've written. It pre-allocates the error chunk assuming worst case conditions, which is that each parameter will be in error (requiring its own sctp error header).
*** Bug 586631 has been marked as a duplicate of this bug. ***

Consider this public. http://article.gmane.org/gmane.linux.network/159531

For completeness:

The patch that was committed to the upstream networking git:
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809

It has been merged into the vanilla kernel git:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941

(In reply to comment #25)
> For completeness:
>
> The patch that was committed to the upstream networking git:
>
> http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
> It has been merged into the vanilla kernel git:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941

^^ AFAICS, it's not fixed in upstream yet.

What are you talking about, eugene? I sent the patch up, & it went into net-2.6. you were copied on the mail, and have the commit above.

(In reply to comment #27)
> What are you talking about, eugene? I sent the patch up, & it went into
> net-2.6. you were copied on the mail, and have the commit above.

but not into linux-2.6 yet. But I guess it will be committed there eventually.

(In reply to comment #28)
> (In reply to comment #27)
> > What are you talking about, eugene? I sent the patch up, & it went into
> > net-2.6. you were copied on the mail, and have the commit above.
>
> but not into linux-2.6 yet. But I guess it will be committed there eventually.

It is now.
Upstream commit: http://git.kernel.org/linus/5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809

We will need this patch too: http://marc.info/?l=linux-sctp&m=127372809930656&w=2

commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4) causes 'error cause' to never be added to the ERROR chunk due to some typo when checking valid length in sctp_init_cause_fixed().

Statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2010-1173. This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. Future kernel updates in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG may address this flaw. For more information, please see http://kbase.redhat.com/faq/docs/DOC-31052.

This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0474 https://rhn.redhat.com/errata/RHSA-2010-0474.html

This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0504 https://rhn.redhat.com/errata/RHSA-2010-0504.html

The fix is in upstream release kernels 2.6.34, 2.6.33.6 and 2.6.32.16

This issue has been addressed in following products: MRG for RHEL-5 Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html

This issue has been addressed in mrg1-3
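The sizing problem behind this bug, as an added illustration that is not part of the bug report and not the kernel's sctp code: a user-space model of an ERROR chunk buffer where the receiver walks the INIT chunk's TLV parameter list, and either sizes the error chunk for a single cause (the undersized case) or for the worst case the first comment describes, one error cause header plus the offending parameter for every parameter. All names (`worst_case_error_len`, `err_chunk_add_cause`, `report_all_params`) and the sample parameter bytes are constructed here; the SCTP parameter and error-cause header layouts (2-byte type/code, 2-byte length, 4-byte padding) are from the protocol, and the bounds check in `err_chunk_add_cause` stands in for the check that an undersized skb lacked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model written for this page; not kernel code. */
#define SCTP_PARAM_HDR 4   /* 2-byte parameter type + 2-byte length */
#define SCTP_ERR_HDR   4   /* 2-byte cause code + 2-byte length   */

static size_t pad4(size_t n) { return (n + 3) & ~(size_t)3; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the INIT parameter list and return the worst-case ERROR chunk payload:
 * every parameter reported with its own error cause header. Returns 0 when
 * the list is malformed (length shorter than a header or past the end). */
size_t worst_case_error_len(const uint8_t *params, size_t len)
{
    size_t off = 0, total = 0;
    while (off + SCTP_PARAM_HDR <= len) {
        uint16_t plen = rd16(params + off + 2);
        if (plen < SCTP_PARAM_HDR || off + plen > len)
            return 0;
        total += SCTP_ERR_HDR + pad4(plen);
        off += pad4(plen);
    }
    return total;
}

struct err_chunk { uint8_t *buf; size_t cap; size_t used; };

/* Append one cause carrying the parameter. The capacity check is the point:
 * writing past cap is the over-write this bug describes. */
bool err_chunk_add_cause(struct err_chunk *ec, uint16_t code,
                         const uint8_t *param, size_t plen)
{
    size_t need = SCTP_ERR_HDR + pad4(plen);
    if (ec->used + need > ec->cap)
        return false;
    uint8_t *p = ec->buf + ec->used;
    uint16_t clen = (uint16_t)(SCTP_ERR_HDR + plen);
    p[0] = (uint8_t)(code >> 8); p[1] = (uint8_t)(code & 0xff);
    p[2] = (uint8_t)(clen >> 8); p[3] = (uint8_t)(clen & 0xff);
    memcpy(p + 4, param, plen);
    memset(p + 4 + plen, 0, pad4(plen) - plen);   /* zero the padding */
    ec->used += need;
    return true;
}

/* Report every parameter as invalid; return how many causes fit. */
size_t report_all_params(struct err_chunk *ec, const uint8_t *params, size_t len)
{
    size_t off = 0, added = 0;
    while (off + SCTP_PARAM_HDR <= len) {
        uint16_t plen = rd16(params + off + 2);
        if (plen < SCTP_PARAM_HDR || off + plen > len)
            break;
        /* cause code 8 = unrecognized parameter, carrying the parameter */
        if (!err_chunk_add_cause(ec, 8, params + off, plen))
            break;
        added++;
        off += pad4(plen);
    }
    return added;
}

/* Constructed sample: three parameters of unknown type, lengths 5, 4 and 6
 * (padded on the wire to 8, 4 and 8 bytes). */
static const uint8_t sample_params[] = {
    0xff, 0xf0, 0x00, 0x05, 0xaa, 0x00, 0x00, 0x00,
    0xff, 0xf1, 0x00, 0x04,
    0xff, 0xf2, 0x00, 0x06, 0xbb, 0xcc, 0x00, 0x00,
};

/* Buffer sized for exactly one cause: only the first error fits. */
size_t demo_undersized(void)
{
    uint8_t small[SCTP_ERR_HDR + 8];
    struct err_chunk ec = { small, sizeof small, 0 };
    return report_all_params(&ec, sample_params, sizeof sample_params);
}

/* Buffer pre-allocated for the worst case: every error fits. */
size_t demo_worst_case(void)
{
    size_t cap = worst_case_error_len(sample_params, sizeof sample_params);
    uint8_t buf[64];
    struct err_chunk ec = { buf, cap <= sizeof buf ? cap : sizeof buf, 0 };
    return report_all_params(&ec, sample_params, sizeof sample_params);
}

int main(void)
{
    printf("worst-case error payload: %zu bytes\n",
           worst_case_error_len(sample_params, sizeof sample_params));
    printf("causes that fit, one-cause buffer: %zu\n", demo_undersized());
    printf("causes that fit, worst-case buffer: %zu\n", demo_worst_case());
    return 0;
}
```

With the three sample parameters the worst-case payload is 32 bytes; the one-cause buffer accepts a single cause and the check rejects the rest, whereas the worst-case buffer takes all three. In the kernel the equivalent mis-sizing had no such check and ended in skb_over_panic, which is why the attached patch sizes the chunk up front.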